Notes: adding and using a self-signed s/MIME email certificate to OSX Mail in Mountain Lion

This is just a scratchpad post to remind myself what I did to get a self-signed cert into Mail under OSX Mountain Lion.

This first post is all about using a self-generated cert — which will work fine unless you ALSO want to use it on an iOS device.  In which case, skip to the NEXT post, where I cracked the code of getting a Comodo cert installed on my Mac and my iPhone.  Sheesh, this is harder than it needs to be.

Generating a self-signed certificate

Click HERE to read the post that laid out the step by step process I followed to create that self-signed cert.  That post goes through the openssl commands to do the deed.  The instructions are written for a Windows user so I’ve rewritten them for a Mountain Lion user

  • Note: openssl is already installed on Mountain Lion, so you shouldn’t need to do any installation
  • make sure to create the cert with the email address you are using in Mail.  In addition, I used that email address as the answer to the “common name” request during the prompting that happens in the Certificate Request part of the process (Steps 2 and 3 below).  I’m not sure that’s required, but it’s part of the formula that worked for me.

Here are the command-line commands (mostly lifted from the blog post)

1.    Generate a RSA Private Key in PEM format

Type: (one time, just to drop into the openssl environment):



genrsa -out my_key.key 2048


my_key.key  is the desired filename for the private key file
2048  is the desired key length of either 1024, 2048, or 4096

2.    Generate a Certificate Signing Request:


req -new -key my_key.key -out my_request.csr


my_key.key is the input filename of the previously generated private key
my_request.csr  is the output filename of the certificate signing request

3.    Follow the on-screen prompts for the required certificate request information.

4.    Generate a self-signed public certificate based on the request.


x509 -req -days 3650 -in my_request.csr -signkey my_key.key -out my_cert.crt


my_request.csr  is the input filename of the certificate signing request
my_key.key is the input filename of the previously generated private key
my_cert.crt  is the output filename of the public certificate
3650 are the duration of validity of the certificate. In this case, it is 10 years (10 x 365 days)
x509 is the X.509 Certificate Standard that we normally use in S/MIME communication

This essentially signs your own public certificate with your own private key. In this process, you are now acting as the CA yourself!

5.    Generate a PKCS#12 file:


pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -in my_cert.crt -inkey my_key.key -out my_pkcs12.pfx -name "my-name"


my_cert.crt  is the input filename of the public certificate, in PEM format
my_key.key  is the input filename of the private key
my_pkcs12.pfx  is the output filename of the pkcs#12 format file
my-name  is the desired name that will sometimes be displayed in user interfaces.

6.    (Optional) You can delete the certificate signing request (.csr) file and the private key (.key) file.

7.    Now you can import your PKCS#12 file to your favorite email client, such as Microsoft Outlook or Thunderbird. You can now sign an email you send out using your own generated private key. For the public certificate (.crt) file, you can send this to others when requesting them to send an encrypted message to you.

Importing a self-signed certificate into the OSX Keychain Access application

I double-clicked the .pfx (PKCS) file that I’d just created.  That fired up the Keychain Access app and loaded it into the keychain.   I told it to trust the cert when it asked about that.

Getting OSX Mountain Lion Mail to recognize the self-signed certificate

Part of what derailed me in this process was that the transition from Lion to Mountain Lion eliminated the account-setup option to select a cert.  It’s automatic now.  So if the email address that’s in the cert matches the email address of the account, the s/MIME capability simply appears when composing a new message.  But in order for this to work, there’s one step needed in order to pull the cert in:

  • restart the Mail app